Sarbanes-Oxley Compliance Services
What you should know about
SOX and Miles Consulting's SOX services
If you have a company that's gone public or will go public, the Sarbanes-Oxley Act
affects you. Named after Senator Paul Sarbanes and Representative Michael G. Oxley,
the act (officially titled the Public Company Accounting Reform and Investor Protection
Act of 2002) became a law in July 2002 in response to the Enron scandal and other
examples of unethical behavior in the business community.
The act imposes strict financial reporting requirements on publicly traded companies,
holding them to a new level of accountability. Those companies must implement, if
not already in place, policies and controls that demonstrate to investors the use
of best practices in managing financial systems as well as in protecting corporate
data and access to that data.
IT systems are the tool with which companies manage financial systems. That means,
given the law, systems are to be audited and companies must remediate issues to
meet the spirit of the law. Checking compliance usually falls to third party auditors
from well-established accounting firms.
Three numbers that can impact
The Sarbanes-Oxley Act features numerous sections; however, three of them—302, 404
and 409—offer the greatest potential impact on companies and how the companies conduct
Section 404 requires an Internal Control Report to be included in all annual financial
reports. Created by a company's auditor, the document must present management's
assertions about the design and operational effectiveness of internal controls at
year end. Management must also evaluate the effectiveness of internal controls over
financial reporting and disclosure controls on a quarterly basis.
With Section 302, the CEO and CFO of a company are responsible for the accuracy,
documentation and submission of financial reports and internal control structure
to the SEC. Certifications signed by those two principal officers must be included
in the annual or quarterly reports.
Information must be accumulated and summarized for timely assessment and disclosure
in accordance to the SEC's rules and regulations. When Section 404 compliance is
required in about a year, companies must be able to disclose on a near real-time
basis—up to 48 hours—any changes in their financial condition or operations.
Section 404 and IT.
We're often engaged only for a
SOX IT Audit. In general, Section 404 is the tallest mountain to climb,
with key areas regarding IT controls:
Read more about
challenges with Sarbanes-Oxley Compliance
- Change Management
Companies must provide visibility over changes in the IT environment and enable
the ability to initiate, authorize, manage and implement all IT changes through
a systematic change process.
A process must be deployed to identify critical data and to duplicate, store and
recover data as needed.
A process must be deployed to ensure the integrity of information and secure applications,
databases, operating systems, internal network access and perimeter network.
Companies must deliver thorough documentation to cover change management, back up
and security policies and processes.
Companies must have solutions to fill gaps in change management, backup and security.